Author: Rob Brickman, 2018
What’s MBN and Why Should My Organization Care?
Starting November 1st, 2018, new Federal Mandatory Breach Notification (MBN) regulations require your organization to report on certain privacy breaches under Canada’s Personal Information Protection and Electronic Documents Act (PIPEDA).
You May Not Be Ready
Cyber-security, legal and other risk experts are expressing real concern about how ready Canadian organizations are to comply with MBN. Without adequate preparation for MBN, your company could face penalties including fines for failing to report, a negative impact on your brand, audit exposures and the potential for class action suits.
How Widespread Are Breaches?
New data tells us that frequency, scope and costs of cybersecurity breaches are huge. The IBM/Ponemon Institute “Cost of Data Breach” study recently concluded that 90% of Canadian companies experienced a breach in 2017, at an average of 22,000 records per breach. The average cost per breach was over $6 million
Despite these sobering figures, Ernst & Young estimates that less than 10% of IT budgets are targeted to cybersecurity and breach management. Your company may be focused on the technical security that keeps the organization and your customers safe, but you may not be ready for MBN.
Why Is Breach Reporting So Complex?
We’ve identified several elements that make MBN uniquely challenging:
- Cybersecurity is a moving target – Ajay Sood at Symantec has noted that in cybersecurity “as the adversary changes its tactics and targets, organizations must alter their defences and countermeasures”.
- New processes are required: Meeting MBN requirements demands re-designed, replicable processes and playbooks that integrate seamlessly with a patchwork of underlying cyber and breach technologies. Many of these may not be in your control.
- Reliance on Third Parties – To manage cybersecurity, organizations may rely on a web of third-party Saas, IaaS and Managed Security Service Providers (MSSPs) for security infrastructure and incident management. Sometimes the service provider, networks and data reside outside Canada. Your existing contracts, SLAs and shared processes may not anticipate MBN requirements.
- Complexity of tools – Effective MBN reporting is driven by data that come from multiple tools and systems which may be both inside and outside your organization’s control.
- Matrixed roles – When incidents and breaches occur, dozens of stakeholders, both internal and external to your organization, are affected by what happens. Your board, leadership, IT and Security, Business Continuity, Customer Support, Compliance, Legal, Regulatory, Risk Management, business partners and other functions all have a role to play…as do your customers.
- Funding – IT, Finance and other budgets may not have provided for the true costs of breach management, assessment and notification efforts.
- Enforcement – the MBN requirements are new and confusing. The enforcement regime has yet to be defined by the Office of the Privacy Commissioner or the Attorney General.
How Can TPG Help? The TPG “MBN Readiness Assessment”
The Poirier Group is one of Canada’s leading consultancies in focused performance improvement, with particular expertise in process design and change management. We are uniquely equipped to help you plan and execute your MBN response.
To get started, we’ve developed a rapid MBN Readiness Assessment engagement. This exercise quickly highlights gaps in organizations’ MBN posture and recommends immediate steps to remediate processes and responsibilities, whether incidents and breaches are managed internally or by MSSPs.